DETAILED ACTION 
Priority 

1 . Acknowledgment is made of applicant's claim for foreign priority under 35 
U.S.C. 119(a)-(d). The certified copy has been filed in parent Application No. 
PCT/US03/016817, filed on 30 May 2003. 

Claim Objections 

2. Applicant is advised that should claim 3 be found allowable, claim 4 will be 
objected to under 37 CFR 1.75 as being a substantial duplicate thereof. When two 
claims in an application are duplicates or else are so close in content that they both 
cover the same thing, despite a slight difference in wording, it is proper after allowing 
one claim to object to the other as being a substantial duplicate of the allowed claim. 
See MPEP § 706.03(k). 

Claim Rejections - 35 USC § 102 

3. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public 
use or on sale in this country, more than one year prior to the date of application for patent in the United 
States. 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

4. Claims 1, 2, 5-8, and 10-17 are rejected under 35 U.S.C. 102(e) as being 
anticipated by John B. Beavers (US PGPub 2003/0221123 A1, hereafter Beavers). 
Regarding claim 1, Beavers teaches a network security system, comprising: 
a static policy data store [set of rules, claim 1]; 

a dynamic policy data store [decision table, claim 1; dynamic threat table, 
paragraph 54; dynamic tracking table, paragraph 98]; 

an authorization enforcement facility (AEF) [alert processing system, claim 12, 
figure 5 (63)] in communication with said static policy data store [(27)] and said dynamic 
policy data store [(31)] and operable to perform a risk-aware analysis of a connection 
[matching and declaring an incident, claim 1]. 

Regarding claim 2, Beavers teaches that the static policy data store comprises at least 
one of a constraint, a role, a node-role assignment, a threshold value [a threshold value 
from a user-editable table, claim 5], a node value, a service value, and an action value. 

Regarding claim 5, Beavers teaches that the dynamic policy data store comprises a 
threat level table [table with threat characterizations, claim 5]. 

Regarding claim 6, Beavers teaches that the system is further operable to generate a 
response to said connection [an action as a mitigating response can be taken, 
paragraph 39]. 
Regarding claim 7, Beavers teaches that the response comprises at least one of 
blocking the source of said connection from connecting to an intended destination [an 
action as a mitigating response can be taken. An example would be to shut down a web 
server that is suspected of being compromised, paragraph 39], altering said intended 
destination of said connection [after an alert, the information is trashed or diverted at 
line 25, paragraph 33], and auditing said connection [paragraph 3]. 

Regarding claim 8, the claim recites the same limitations as claim 7 and is rejected by 
the same rationale. 

Regarding claim 10, Beavers teaches that the system comprises a router, a gateway, a 
hardware appliance [firewall, IDS, router, etc., paragraphs 105-114], or a web server 
[claim 15]. 

Regarding claim 11, Beavers teaches that the system further comprises a firewall 
[paragraph 109] in communication with said AEF [alert processing system]. 

Regarding claim 12, Beavers teaches that the system further comprises an intrusion 
detection system [IDS, paragraph 113] in communication with said AEF [alert 
processing system]. 



Regarding claim 13, Beavers teaches a method comprising: 
receiving a static policy data attribute from a static policy data store [set of rules, 
claim 1; Fig 5 (27)]; 

receiving a connection request directed to a node [paragraphs 2-3]; 

receiving a dynamic policy data attribute from a dynamic policy data store 
[decision table, claim 1; Fig 5 (31)]; 

determining whether said connection request is anomalous based at least in part 
on said static policy data attribute [set of rules, claim 1] and at least in part on said 
dynamic policy data attribute [decision table, claim 1]. 

Regarding claim 14, the claim comprises the limitations of claims 13 and 6 and is 
rejected by the same rationale. 

Regarding claim 15, the claim comprises the limitations of claims 14 and 7 and is 
rejected by the same rationale. 

Regarding claim 16, Beavers teaches updating said dynamic policy data attribute in said 
dynamic policy data store based on a result of said determining [incident tracking rules 
can be automatically updated based on one or more further alert indications, paragraph 
15]. 

Regarding claim 17, Beavers teaches increasing a threat level if the connection request 
is determined to be anomalous [If the non-condition alert passes the threshold, this 
information can be added to existing incident tickets, and the incident ticket tracking 
rules can be updated with this information, paragraph 97; the rules referencing the table 
with the time, the status, the threat level, and an incident description, paragraph 40]. 

Claim Rejections - 35 USC § 103 

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

6. Claims 3 and 4 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Beavers in further view of Frederick M. Avolio (Best Practices in Network Security, 
hereafter Avolio). 

Regarding claim 3, Beavers states that the threshold value can be a level of severity 
[paragraph 13] and that severity is defined on a scale of 1-5 (1 being the highest threat) 
[paragraph 36]. Beavers does not explicitly disclose that the threshold value is inversely 
proportional to the node value. 

However, Avolio teaches (page 2 column 3) that the severity of a threat is based 
upon the value of the object being secured. It would have been obvious at the time that 
the invention was made to combine these teachings such that the higher the value of an 
object, the lower the threshold value is set, i.e., setting the threshold value inversely 
proportional to the node value. 
Beavers and Avolio are analogous subject matter in the same field of endeavor as 
both cover network security. One of ordinary skill in the art would have been motivated 
to combine the threshold-severity relation taught by Beavers with the severity-value 
relation taught by Avolio because doing so allows for a basis by which to set the 
severity, and hence the threshold, level for an object. Therefore, the claimed invention as a 
whole would have been "prima facie obvious" to one of ordinary skill at the time the 
invention was made. 

Regarding claim 4, the claim recites the same limitations as claim 3 and is rejected by 
the same rationale. 
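The method recited in claims 13, 16 and 17 and the threshold relation of claim 3, shown together in working form. This is an added illustrative example; it is not part of this Office Action, of the Beavers application, or of the Avolio reference. The node names, addresses, asset values, the per-source threat level as the dynamic attribute, and the form threshold = k / node_value are all constructed assumptions.

```python
# Added illustrative example (not from the Office Action or the Beavers
# application). Models a risk-aware connection check that combines a static
# policy store with a dynamic threat table. All names and values are constructed.
from dataclasses import dataclass, field


@dataclass
class StaticPolicy:
    node_values: dict      # node -> asset value (constructed: 1 low .. 10 critical)
    role_services: dict    # role -> set of services that role may accept
    node_roles: dict       # node -> role assignment
    base_threshold: float = 10.0  # assumed constant k in threshold = k / node_value

    def threshold(self, node):
        # Threshold inversely proportional to node value: a high-value node
        # tolerates less source threat before a request is flagged.
        return self.base_threshold / self.node_values[node]


@dataclass
class DynamicPolicy:
    threat_levels: dict = field(default_factory=dict)  # source -> threat level

    def level(self, source):
        return self.threat_levels.get(source, 0.0)

    def raise_level(self, source, amount=1.0):
        self.threat_levels[source] = self.level(source) + amount


@dataclass
class ConnectionRequest:
    source: str
    destination: str
    service: str


def evaluate(static, dynamic, req):
    """Return (anomalous, reason) from one static attribute (role/service
    constraint and node value) and one dynamic attribute (source threat level)."""
    role = static.node_roles.get(req.destination)
    if req.service not in static.role_services.get(role, set()):
        return True, f"static: service {req.service!r} not permitted for role {role!r}"
    level = dynamic.level(req.source)
    limit = static.threshold(req.destination)
    if level >= limit:
        return True, f"dynamic: source threat {level:.1f} >= threshold {limit:.1f}"
    return False, "permitted"


def process(static, dynamic, req):
    """Evaluate a request and, if anomalous, raise the source's threat level in
    the dynamic store so later decisions see the updated attribute."""
    anomalous, reason = evaluate(static, dynamic, req)
    if anomalous:
        dynamic.raise_level(req.source)
    return anomalous, reason


def build_sample():
    # Constructed sample policy: a critical database host and a low-value web host.
    static = StaticPolicy(
        node_values={"db01": 10, "web01": 2},
        role_services={"database": {"postgres"}, "webserver": {"http", "https"}},
        node_roles={"db01": "database", "web01": "webserver"},
    )
    return static, DynamicPolicy()


def demo():
    static, dynamic = build_sample()
    results = []
    # Two requests for a service db01's role does not offer: flagged on the
    # static attribute alone, each raising the source's threat level by 1.
    for _ in range(2):
        results.append(process(static, dynamic, ConnectionRequest("10.0.0.5", "db01", "http")))
    # A permitted service on db01, but source threat 2.0 >= threshold 10/10 = 1.0.
    results.append(process(static, dynamic, ConnectionRequest("10.0.0.5", "db01", "postgres")))
    # Same source against the low-value web01: threat 3.0 < threshold 10/2 = 5.0.
    results.append(process(static, dynamic, ConnectionRequest("10.0.0.5", "web01", "https")))
    return results, dict(dynamic.threat_levels)


if __name__ == "__main__":
    for anomalous, reason in demo()[0]:
        print("ANOMALOUS" if anomalous else "OK", "-", reason)
```

Running the block shows the same source being refused a permitted service on the high-value host (its accumulated threat exceeds the low threshold that host's value implies) while still being admitted to the low-value host, which is the inverse relation between threshold and node value that the rejection of claim 3 turns on.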

7. Claim 9 is rejected under 35 U.S.C. 103(a) as being unpatentable over Beavers as 
exemplified by Tom Chmielarski (Intrusion Detection FAQ: Reconnaissance Techniques 
using Spoofed IP Addresses, hereafter Chmielarski). 

Regarding claim 9, Beavers teaches that a countermeasure may be taken and that the 
countermeasure may comprise a passive countermeasure [an action as a mitigating 
response can be taken. An example would be to shut down a web server that is 
suspected of being compromised, paragraph 39]. 

Beavers does not explicitly disclose that the countermeasure comprises an active 
countermeasure. 
However, Chmielarski teaches both active and passive countermeasures [whole 
document] in the context of intrusion detection systems. 

Beavers and Chmielarski are analogous subject matter in the same field of 
endeavor as both cover intrusion detection systems. One of ordinary skill in the art 
would have been motivated to combine the general countermeasures taught by Beavers 
with the active countermeasures taught by Chmielarski because doing so allows for the 
system to analyze and understand methods used by attackers and better protect 
against further attacks. Therefore, the claimed invention as a whole would have been 
"prima facie obvious" to one of ordinary skill at the time the invention was made. 

Conclusion 

8. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

a. Bernhard; Thomas et al. System, method and computer program product for 
automatic response to computer system misuse using active response modules 
US 6275942 B1 (Describes a system to monitor and respond to anomalies.) 

b. Lermuzeaux; Jean-Marc et al. Facility for detecting intruders and suspect callers 
in a computer installation and a security system including such a facility US 
5621889 A (Describes a system to monitor and respond to anomalies.) 

c. Campbell; Wayne A. et al. Method and system for detecting intrusion into and 
misuse of a data processing system US 6839850 B1 (Describes a system to 
monitor and respond to anomalies.) 
d. Judge; Paul et al. Systems and methods for adaptive message interrogation 
through multiple queues US 7089590 B2 (Describes a system to monitor and 
respond to anomalies.) 

e. Hu; Wei-Ming. Network request distribution based on static rules and dynamic 
performance data US 6173322 B1 (Describes a system to monitor and redirect 
requests.) 

f. Nessett; Danny M. et al. Multilayer firewall system US 5968176 A (Describes a 
network security system including packet filtering and inspection.) 

g. Thomas; R.K. et al. Task-based Authorization Controls (TBAC). IFIP (Describes 
task and role-based authorization methods.) 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Imad Hussain whose telephone number is 571-270- 
3628. The examiner can normally be reached on Monday through Thursday from 0730 
to 1700. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Beatriz Prieto can be reached on 571-272-3902. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



Imad Hussain 
SUPERVISORY PATENT EXAMINER 



